The projected cost of cybercrime is $6 trillion annually by 2021, making cybersecurity a critical issue for every organization. Just how much do companies spend on cybersecurity? According to the 2020 State of the CIO survey, the average company devotes 16 percent of its IT budget to cybersecurity.
But 2020 has been anything but normal for cybersecurity costs and budgets. COVID-19 forced every organization to adjust cybersecurity budgets instantly, as companies shifted to remote work and had to deal with a number of unplanned security issues.
As organizations begin planning cybersecurity budgets for 2021, there are a number of factors to consider, including the impact of the pandemic. Recent research from McKinsey found that 70 percent of CISOs plan on asking for significant increases in their cybersecurity budgets for the coming year. It’s important to spend wisely.
6 things to keep in mind for your 2021 cybersecurity budget
There are many factors to take into account when planning your cybersecurity budget, including:
- Company size
- Compliance requirements
- The type of data collected/stored
- Mandates from Board of Directors
It can be difficult to know the best way to spend your dollars. We suggest using the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a roadmap for cybersecurity budget planning. The Framework organizes every cybersecurity program around five core functions that each need attention. The five functions are:
- Identify – Know what you are protecting: inventory your systems and data, understand the business context, and assess risk. Every other function depends on this visibility, and it is where the budget conversation about what matters most should start.
- Protect – Put safeguards in place to prevent as many attacks as possible. However, with the development of new attack vectors and the addition of more and more information systems as businesses modernize, the chance of preventing every attack decreases.
- Detect – The earlier a threat is detected, the faster a company can respond to it. Quick detection, including triaging alerts to rule out false positives, is key to lessening the damage done to data, money, and your organization’s reputation. This requires visibility across information systems and trained personnel to analyze indicators of compromise.
- Respond – Classifying the incident and executing the appropriate countermeasures (and doing so quickly) is key to keeping the damage to a minimum.
- Recover – Recovery involves bringing systems back to their normal state and capturing what was learned about the attack. This data can be used to prevent the same attack (and others similar to it) from happening again.
Organizations should revisit these five functions every year during budget planning to determine how they can wisely spend dollars to improve each one. Of course, every year brings unique challenges to cybersecurity, and 2020 has been anything but normal. As organizations plan for 2021, we have 6 top things to keep in mind to ensure a successful cybersecurity strategy. These tips will not only help you prepare for the coming year, but will also keep your organization focused on the NIST Cybersecurity Framework.
- 1. Be proactive, not reactive
- 2. Continue to respond to COVID-19
- 3. Consider implementing a SOC
- 4. Make sure you can measure performance
- 5. Look at cybersecurity spending by industry
- 6. Use a vCISO to gain additional expertise and buy-in
1. Be proactive, not reactive
Many companies take a reactive approach to cybersecurity: they wait for an incident to happen and then respond.
A proactive approach puts procedures, tools, and systems in place that detect attacks quickly to limit the damage, or that prevent them from occurring in the first place. A proactive methodology also includes proper training for staff so they know how to respond to a threat swiftly and effectively.
The biggest benefit of a proactive approach is that it reduces the chance that an incident will occur, aligning with the Protect function of the NIST Framework. Even if a breach does take place, you will be ready to mitigate it quickly using known and practiced procedures, keeping the damage in check, which can save your company a great deal of money.
Cybersecurity tooling can be overwhelming. We recommend keeping the amount of tooling to a minimum. Stick with tools that are squarely focused on protecting important and sensitive data and business functions, and don’t spend money on products that only address fringe cases.
A wise investment when it comes to cybersecurity tools is a next generation antivirus (NGAV) tool whose capabilities can be expanded during an incident (for example, by enabling endpoint detection and response features that let responders investigate and isolate affected hosts). A common misconception is that NGAV tools are too expensive. There are, however, affordable options (such as Carbon Black) that are comparable in price to traditional antivirus products while delivering much better detection and defense capabilities. Consult your Incident Response team on the tooling they use or recommend, so that it is already in place to enable rapid response if they are needed.
An Incident Response Retainer service is an excellent investment for companies that want to take this proactive approach. Your organization benefits from having a dedicated team of cybersecurity experts on call should you suffer an attack. A team that is already familiar with your systems and network can respond faster and remediate issues more quickly, reducing the cost of an attack.
Simulation exercises are another excellent investment that can prepare your security and IT teams for a potential attack. You find out just how well-prepared you are to respond to an attack in real time. Tabletop exercises extend the same testing to the strategic level, showing how well managers and executives are able to handle an attack.
Budget dollars directed toward these proactive measures increase your company’s defenses against an attack and ensure your team is well-equipped to respond should one occur.
2. Continue to respond to COVID-19
The working world changed overnight when COVID-19 hit. Companies had to shift their cybersecurity priorities to adjust.
Rather than focusing on maintenance and planned projects, security teams had to establish and maintain a secure remote working environment. Budgets shifted to items such as patching remote systems over Virtual Private Networks (VPNs).
The increase in cyber attacks after the pandemic began further compounded the situation. Phishing attacks alone increased from 5,000 in February to more than 200,000 in late April. Previously planned projects were put on hold, and many organizations have yet to return to them as the pandemic lingers on.
As we move into 2021, companies will continue to focus on creating a secure remote work environment, with the biggest spending increases expected in network security, identity and access management, and messaging security. Endpoint security, managed security services, security and vulnerability management, web security, and data protection will also see small increases in spending as organizations plan for the future. Companies will also devote more time and money to security training in an effort to better prepare all employees to recognize and respond to an attack.
3. Consider implementing a SOC
Security Operations Centers (SOCs) are becoming more popular within organizations. A SOC is a dedicated, centralized unit that uses people, processes, and technology to monitor and improve cybersecurity.
A SOC enables your organization to quickly detect indicators of compromise in information systems, determine whether they are true or false positives, and react extremely quickly to limit damage to the business. A SOC will also help piece together information quickly during a forensic investigation should a cyberattack occur, helping to lower the cost of an incident.
Many organizations aren’t aware they are under attack until it’s too late. The average dwell time (the time between when an attacker gets into your network and when they are detected) ranges from 43 to 895 days for SMBs. Specifically, the average dwell time for malware is 798 days, while the dwell time for riskware is 869 days. These statistics demonstrate that many breaches go undetected for months, at which point it is too late to effectively mitigate the attack and the damage it causes. The detection measures that come with a SOC enable organizations to reduce dwell time, so they can respond swiftly and effectively to an attack.
A recent survey found that more than one-third of an organization’s cybersecurity budget is being spent on the SOC. More than 70 percent of respondents described the SOC as an essential or very important part of the company’s total cybersecurity strategy.
At the same time, there are some challenges, with many SOC team members changing careers, largely due to stress. The survey uncovered a number of reasons why SOC team members are looking to jump ship:
- Lack of visibility into the IT infrastructure (70 percent)
- Turf and silo issues with IT (64 percent)
- Need for better automation (71 percent)
- Burnout from too much work (75 percent)
As an alternative, businesses may want to explore Security Operations Center as a Service (SOCaaS). SOCaaS is a managed security service that provides continuous data analysis, threat intelligence, and security incident reporting.
You get all of the benefits of a Security Operations Center without having to worry about retaining the right talent in-house to keep the operations running smoothly. Should an Indicator of Compromise be identified, some SOCaaS providers will even join you in a screen sharing session to validate it, working closely with your internal team as an integrated part of your cybersecurity efforts.
4. Make sure you can measure performance
The best way to know how well your cybersecurity program is performing is to measure it. A recent survey uncovered some common methods for performance tracking: 59 percent of respondents calculate the reduction in attack surface as a measure of effectiveness, while 44 percent look at improvements in compliance and 41 percent at the speed and accuracy of responses.
We recommend that organizations truly interested in measuring performance over time make use of vulnerability management, which uses tools, processes, and procedures to analyze and prioritize vulnerabilities. A comprehensive vulnerability management program uses tools to conduct internal and external scans. This data can be used to analyze and prioritize vulnerabilities, uncover trends (for example, whether findings from the previous scan cycle were actually remediated, and how long each severity takes to fix), and determine how to mitigate them. An investment in vulnerability management enables you to make accurate assessments of your overall cybersecurity program quality and identify areas needing improvement. Be sure to look for a provider that does more than just scan. While scanning tools are important, it is the people involved in vulnerability management who are ultimately responsible for the success of the program.
There are other tools and methods for measuring performance that can be used alongside vulnerability management. Security awareness training scores and phishing-simulation click rates indicate overall success. Tabletop exercises show the business’s performance and preparedness for cyberattacks against the associated KPIs. Red/Blue team exercises and penetration tests conducted year over year indicate progress in both processes and procedures for the Information Technology and Information Security teams, and how well they collaborate to defend the organization.
Investment in these tools and services enables organizations to see how well they can identify, respond to, and recover from attacks.
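The metrics this section and the SOC section describe, as an added example that is not code from the original article: a small Python script over constructed incident and scan records that computes dwell time (mean, median and worst case), remediation SLA compliance per severity, a scan-to-scan remediation trend, and phishing-simulation click rates. The SLA targets, vulnerability identifiers, asset names, dates and campaign numbers are all assumptions made up for the example.

```python
"""Program-level security metrics over constructed sample data (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLA targets (days) per severity; substitute your own policy.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Incident:
    """One incident: when the attacker first got in and when it was noticed."""
    name: str
    first_compromise: date
    detected: date

    @property
    def dwell_days(self) -> int:
        return (self.detected - self.first_compromise).days


@dataclass
class Finding:
    """One vulnerability on one asset; fixed=None means it is still open."""
    vuln_id: str
    asset: str
    severity: str
    found: date
    fixed: Optional[date] = None


def dwell_time_summary(incidents: List[Incident]) -> Dict[str, float]:
    """Mean, median and worst-case dwell time. Report the median too: one
    long-lived intrusion drags the mean up and hides improvement elsewhere."""
    days = [i.dwell_days for i in incidents]
    return {"mean": mean(days), "median": median(days), "max": max(days)}


def sla_compliance(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Fraction of findings per severity that are within SLA as of a date.
    A fixed finding is compliant if fixed within SLA_DAYS of discovery; an open
    finding is compliant only while its window has not expired, so aging open
    findings count against the program instead of being ignored."""
    by_severity: Dict[str, List[Finding]] = {}
    for f in findings:
        by_severity.setdefault(f.severity, []).append(f)
    compliance: Dict[str, float] = {}
    for severity, items in by_severity.items():
        limit = SLA_DAYS[severity]
        within = sum(1 for f in items if ((f.fixed or as_of) - f.found).days <= limit)
        compliance[severity] = within / len(items)
    return compliance


def remediation_trend(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Tuple[str, str]]]:
    """Compare two scan cycles keyed by (vuln_id, asset): fixed, new and persisting."""
    prev_keys = {(f.vuln_id, f.asset) for f in previous}
    curr_keys = {(f.vuln_id, f.asset) for f in current}
    return {
        "fixed": sorted(prev_keys - curr_keys),
        "new": sorted(curr_keys - prev_keys),
        "persisting": sorted(prev_keys & curr_keys),
    }


def phishing_click_rates(campaigns: List[Tuple[int, int]]) -> Tuple[List[float], bool]:
    """Click rate per (sent, clicked) campaign and whether each campaign beat the last."""
    rates = [clicked / sent for sent, clicked in campaigns]
    improving = all(later < earlier for earlier, later in zip(rates, rates[1:]))
    return rates, improving


# Constructed sample data: not real incidents, scans, assets or vulnerability IDs.
AS_OF = date(2020, 9, 30)
INCIDENTS = [
    Incident("phishing-account-takeover", date(2020, 3, 2), date(2020, 3, 9)),
    Incident("web-shell-on-perimeter-host", date(2019, 11, 15), date(2020, 5, 4)),
    Incident("credential-stuffing", date(2020, 6, 1), date(2020, 6, 2)),
]
FINDINGS = [  # remediation ledger: everything found this year, fixed or still open
    Finding("VULN-0001", "web01", "critical", date(2020, 9, 1), fixed=date(2020, 9, 5)),
    Finding("VULN-0004", "app02", "critical", date(2020, 8, 1), fixed=date(2020, 8, 20)),
    Finding("VULN-0002", "web01", "high", date(2020, 9, 15)),
    Finding("VULN-0005", "db01", "high", date(2020, 7, 1)),
    Finding("VULN-0003", "db01", "medium", date(2020, 6, 1), fixed=date(2020, 8, 15)),
]
PREVIOUS_SCAN = [  # raw results of the last two external scan cycles
    Finding("VULN-0001", "web01", "critical", date(2020, 9, 1)),
    Finding("VULN-0002", "web01", "high", date(2020, 9, 15)),
    Finding("VULN-0005", "db01", "high", date(2020, 7, 1)),
]
CURRENT_SCAN = [
    Finding("VULN-0002", "web01", "high", date(2020, 9, 15)),
    Finding("VULN-0005", "db01", "high", date(2020, 7, 1)),
    Finding("VULN-0006", "web02", "medium", date(2020, 9, 28)),
]
PHISHING_CAMPAIGNS = [(200, 30), (200, 22), (210, 15)]  # (emails sent, clicks) per quarter

if __name__ == "__main__":
    print("dwell time:", dwell_time_summary(INCIDENTS))
    print("SLA compliance:", sla_compliance(FINDINGS, AS_OF))
    print("scan trend:", remediation_trend(PREVIOUS_SCAN, CURRENT_SCAN))
    print("phishing:", phishing_click_rates(PHISHING_CAMPAIGNS))
```

Run the script and the three numbers worth putting in front of the board fall out: a median dwell time of a week against a worst case of 171 days, half of the critical and high findings outside SLA (one because it was fixed late, one because it is still open past its window), and a phishing click rate that has fallen in each campaign. The scan-to-scan comparison is the check that a scanning-only provider does not give you: it shows which findings actually went away rather than how many the scanner reported.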
5. Look at cybersecurity spending by industry
Data on specific industries is useful when planning your cybersecurity budget, as it helps you see what competitors might be doing. McKinsey predicts that healthcare systems and services will see an increase in cybersecurity spending over the next 12 months among businesses of all sizes.
The firm also expects to see a small increase in spending within banking and financial services; technology, media, and telecommunications; public and social sectors; and insurance. McKinsey predicts that cybersecurity spending will decrease among the industries hit hardest by the pandemic, namely consumer and retail, advanced industries, global energy and materials, and travel, transport, and leisure.
6. Use a vCISO to gain additional expertise and buy-in
As you work on your cybersecurity budget, it can be difficult to gain buy-in from executives who may not have a comprehensive understanding of why each element you are proposing is important. A Chief Information Security Officer (CISO) is invaluable when it comes to selling your budget to the C-suite.
If you don’t have a CISO, a virtual CISO (vCISO) can provide the same benefits at a fraction of the cost. A high-quality vCISO will work closely with you to create your cybersecurity budget and provide the type of detailed information needed to win support from the executive level.
As companies of all sizes and industries continue to adapt to COVID-19 and the ever-changing threat landscape, it’s critical to know how best to spend your cybersecurity budget. Proper planning and resource allocation are essential for ensuring your company is prepared to identify, protect, detect, respond, and recover in every cybersecurity situation.